Apparatus for key distribution in an encryption system

ABSTRACT

An encryption/decryption apparatus enables encrypted communication between two stations each incorporating such an apparatus. The apparatus is arranged when acting as sender to create (at 71) a mutual primitive from stored items of data, to generate a random session key and encrypt the random session key (at 73) in accordance with the mutual primitive for transmission of the encrypted session key to the recipient station. The sender apparatus further encrypts the main message (at 72) in accordance with the random session key for transmission of the encrypted message to the recipient station. The sender apparatus also stores a registration code and transmits this to the recipient station, where it is decoded (at 74) to recreate the mutual primitive from items of data stored at the recipient station. The recipient apparatus decrypts the encrypted session key (at 75), using the recreated mutual primitive, and then decrypts the main message (at 76) using the recreated random session key.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to arrangements for the automatic encryption and decryption of electronically transmitted messages, particularly in the fields of telephone, facsimile or computer data transmission for example.

2. State of the Art

In general, for the purposes of encrypting transmissions, the message is encrypted in accordance with a selected key. In transmission networks, all key generating systems aim to avoid an exponential growth in the number of encryption keys needed to serve the network, as the number of stations increases. Thus, the number of encryption keys needed is equal to N(N-1)/2, where N is the number of stations in the network. If there are 5 stations, the number of keys required (to provide a unique key for each pair of the network) is 5×4/2=10. However, if the number of stations grows to say 1000, the number of encryption keys required is 1000×999/2=499500.

Strong encryption depends upon a frequent change of the encryption key used for the transmission between each pair of stations: preferably the encryption key is changed for each transmission (or session). This then poses difficult problems for the dissemination or distribution of encryption keys in a large network of stations.

One solution to this problem is to provide a key distribution centre (KDC) situated in the network, which by some means distributes encryption keys securely on an ad hoc basis to both the sender and recipient of each transmission. Clearly these encryption keys cannot be sent openly, so the system requires a second level of encryption.

Another, and now generally favoured, solution is a system in which the problem of providing secret key distribution becomes irrelevant because recipients' keys are fixed and publicly known, so that it is only necessary for the sender to look up the recipient's public key (rather like looking up his telephone number), after which security of transmission is safeguarded by the mathematical logic and algorithms used in the message encryption and decryption processes. The outstanding contribution in this field is the system known as the RSA public key encryption system.

In the RSA system, a secure and tamper-proof memory store holds data derived from two very large, secret prime numbers, the product of which is the so-called "public key". The RSA system uses this data for generating encryption keys to allow an independently-designed cypher to transmit information securely between a pair of stations. If the value of either prime number becomes known, all future transmitted messages are breakable (decypherable). Like any other system using fixed keys, the RSA system is secured only by the physical difficulty of accessing the secret data and the complexity of running trial-and-error attempts to break the key.

SUMMARY OF THE INVENTION

In accordance with this invention, there is provided an encryption/decryption apparatus to enable encrypted communication between two stations each incorporating such an apparatus, said apparatus being arranged to create a mutual code from stored items of data, to generate a random session key and encrypt the random session key in accordance with the mutual code for transmission of the encrypted session key to a recipient station, to encrypt a main message in accordance with the random session key for transmission of the encrypted message to the recipient station, and to store a registration code for transmission to the recipient station to enable the recipient station to decode the registration code to thereby recreate said mutual code from items of data stored at the recipient station.

In use the encryption/decryption apparatus at the sender station transmits the encrypted session key and the registration code as preliminary items of data (or headers) to the main message. The encryption/decryption apparatus at the recipient station decodes the registration code to recreate the mutual code, using items of data stored at the recipient station: preferably these items of data include unique identity codes of the recipient station and also codes representing the addresses (e.g. telephone numbers) of the sender and recipient. The recipient encryption/decryption apparatus is then able to decrypt the encrypted session key, in accordance with its recreated mutual code, in order to recreate the random session key. The received encrypted main message can then be decrypted, using the recreated random session key.

At the sender, the items of data from which the mutual code is created preferably include unique identity codes of the sender station and also codes representing the addresses (e.g. telephone numbers) of the sender and recipient. Preferably at the sender, the mutual code is formed by an irreversible encryption: an irreversible encryption is achieved in that the encryption key is derived in part from the code to be encrypted--the original code cannot then be recreated from the encrypted code.

Preferably the registration code is created and stored in the sender's encryption/decryption apparatus in an initial registration procedure, in which both sender and recipient make use of a predetermined key which is agreed in advance between the sender and recipient. Thus, preferably the sender apparatus creates the mutual code (as described above) and encrypts this using the agreed key to form a transfer key, which is transmitted to the recipient. The recipient apparatus is able to use the agreed key to decrypt the transfer key in order to recreate the mutual code. The recipient apparatus now encrypts the mutual code in accordance with a further key to create the registration code, which is transmitted back to the sender apparatus for storing in its memory: this further key, used by the recipient apparatus to encrypt the mutual code, preferably uses items of data stored by the recipient apparatus (e.g. including unique identity codes of the recipient and the addresses--e.g. telephone numbers--of both sender and recipient).

Preferably the agreed key is not stored at either sender or recipient, although if it is stored, then after it has been used for the registration procedure, it is erased from memory at both sender and recipient stations. It will be noted that although the mutual code is independently created at both sender and recipient stations (firstly during registration and subsequently during each transmission), it is not retained in memory. Likewise, the transfer key is not stored in either sender or recipient apparatus, and the registration code is stored by the sender only.

The registration procedure is performed a first time to enable a first station, of a given pair of stations, to transmit to the second station of the pair, and must be performed a second time to enable the second station of the pair to transmit to the first. Thus each station will store a registration code enabling it to transmit in future to the other station of the pair: but before the station can transmit to any other station in the network, it must undertake a similar registration procedure with each such other station (preferably using a different agreed key in each case).

Embodiments of this invention will now be described by way of examples only and with reference to the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a schematic block diagram of an encrypting/decrypting unit included in or associated with each sender/recipient machine;

FIG. 2 is a flow diagram to explain the principles of a symmetric algorithm used to encrypt a message;

FIG. 3 is a similar flow diagram to explain the reverse algorithm used to decrypt an encrypted message;

FIG. 4 is a flow diagram to explain the irreversible encryption of a message;

FIG. 5 is a flow diagram to explain the generation of a pseudo-random stream;

FIG. 6 is a flow diagram to explain the operation of encrypting/decrypting units at sender and recipient stations for the purposes of mutual registrations;

FIG. 7 is a flow diagram to explain the operation of the encrypting/decrypting units at sender and recipient stations for automatic, encrypted communication;

FIG. 8 is a flow diagram to explain the generation of a two-time key; and

FIG. 9 is a flow diagram to explain the operation of encrypting/decrypting units at the sender and recipient stations for the purposes of automatic registrations.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

Referring to FIG. 1, there is shown an encryption/decryption unit incorporated in or associated with the transmitter/receiver machine at each station of a communications network. Each such unit comprises a power supply terminal 1 for use where power is not supplied by the host machine, an optional battery back-up 2 to maintain power to the unit's memory in the event of loss of mains power, first and second memory stores 3, 4 holding data programmed into the unit at manufacture, a memory store 5 holding data supplied by data sources in communication with the unit, and a memory store 6 holding data programmed into the unit at installation and immediately prior to use. The unit further comprises a microprocessor 7 which runs a key management algorithm (KMA), and a microprocessor 8 which runs a message encryption algorithm (MEA), which may be a DES (data encryption standard) or other proprietary encryption algorithm. The unit also comprises a serial data port 9 for use when the unit is connected between a data terminal and a modem, and a parallel data port 10 for use when the unit is connected to a device for transmitting additional data. Control keys 11 include a power on/off switch and mode selection keys. Coloured display lights 12 indicate power on/off and the various modes selected by the selection keys 11.

The key management algorithm (KMA) operates substantially as a stream cypher algorithm: the characteristics of a stream cypher will now be explained.

Stream cyphers are well-known in the encypherment art and spring from a principle first established by Vigenere in the sixteenth century. In modern form, a pseudo-random stream is derived using a key from a plurality of smaller numbers, so-called primitives. A simple example of encypherment using a pseudo-random stream, and based on the 26 letters of the alphabet, illustrates the principle:

    ______________________________________________________________
    Plain message          E    N    E    M    Y    A    T    T    A    C    K
    Pseudo-random stream   16   3    25   19   7    13   21   0    3    16   9
    ______________________________________________________________

The plain message is encyphered by adding the successive numbers of the stream to numbers representing the successive characters of the plain message (the latter numbers being allocated on the basis of A=0, B=1 . . . Z=25), giving in this case the encyphered message:

    U Q D F F N O T D S T

Note for example that M=12, so M+19=31, and 31=26+5 (the sum wraps around the 26-letter alphabet), and 5=F.

This message is decrypted by subtracting the successive numbers of the same pseudo-random stream from the numbers representing the successive characters of the encyphered message. The cypher is therefore symmetric, in that the same primitives are used to generate the same pseudo-random stream for encryption or decryption.
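The alphabetic stream cypher of the table above, as an added example that is not part of the patent: it encyphers the page's plain message with the page's pseudo-random stream (letters A=0 . . . Z=25, sums wrapping mod 26) and decyphers by subtracting the same stream. Function names are the example's own.

```python
# Added example (not the patent's own code): mod-26 stream cypher from the table above.

PLAIN_MESSAGE = "ENEMYATTACK"
PSEUDO_RANDOM_STREAM = [16, 3, 25, 19, 7, 13, 21, 0, 3, 16, 9]   # values from the table


def letter_to_number(ch):
    # A=0, B=1 ... Z=25, as allocated in the text
    if not ("A" <= ch <= "Z"):
        raise ValueError(f"not an upper-case letter: {ch!r}")
    return ord(ch) - ord("A")


def number_to_letter(n):
    # wrap around the 26-letter alphabet, e.g. 31 -> 5 -> F, and -22 -> 4 -> E
    return chr(n % 26 + ord("A"))


def stream_cypher(text, stream, direction):
    # direction +1 adds the stream (encryption), -1 subtracts it (decryption);
    # the same primitives must yield the same stream on both sides
    if len(stream) < len(text):
        raise ValueError("pseudo-random stream is shorter than the message")
    return "".join(number_to_letter(letter_to_number(c) + direction * k)
                   for c, k in zip(text, stream))


def encypher(text, stream):
    return stream_cypher(text, stream, +1)


def decypher(text, stream):
    return stream_cypher(text, stream, -1)


if __name__ == "__main__":
    ct = encypher(PLAIN_MESSAGE, PSEUDO_RANDOM_STREAM)
    print(ct, decypher(ct, PSEUDO_RANDOM_STREAM))
```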

FIGS. 2 and 3 schematically show the principles of the stream cypher used in the key management algorithm KMA by the processor 7. A plurality of primitives are derived from variables A, B, C, D . . . and used to form a pseudo-random stream PPPPP . . . . The variables A, B, C, D . . . might include a fax number, a 100 character string, even a short message, or the output of an earlier encryption procedure. Provided the values of the variables A, B, C, D . . . remain unchanged and the algorithm is altered from "addition" (+1 i.e. encryption) to "subtraction" (-1 i.e. decryption), then whilst FIG. 2 provides an encyphered text 20 from plaintext 21, FIG. 3 represents the inverse of FIG. 2 and reforms the original plaintext 21 from the encyphered text 20.

However, instead of the reversible mode illustrated by FIGS. 2 and 3, the key management algorithm may be used in an irreversible mode: that is to say, an encryption procedure can be performed, but the inverse procedure cannot logically occur. Thus, referring to FIG. 4, one of the primitives for the pseudo-random stream is derived from a variable E which also forms the plain message to be encrypted: it is therefore impossible to recreate the plain message E; thus for decryption, the primitive derived from E is unknown and the pseudo-random stream cannot be formed, so that the encryption is irreversible.

In accordance with this invention, it is necessary for the encryption/decryption units at the two stations to undergo a registration procedure to enable them subsequently to communicate with each other. The procedure in this registration mode will now be described with reference to FIG. 6.

The registration procedure makes use of a 56-character randomly-generated secret code (Unique Identity String S) which has been programmed into the memory store 3 of the sender unit, and a 12-character randomly-generated code (Unique Crypt String S) which has been programmed into the memory store 4. Primitives are derived from the sender's and recipient's addresses (ADS-S and ADS-R) and from the sender's Unique Identity String S and Unique Crypt String S, and a pseudo-random stream PPPP . . . is generated from these primitives. The Unique Crypt String S also forms the message which is now encrypted at 61 using the key management algorithm (KMA+1) and, because the Unique Crypt String S is used both as the message and to derive one of the primitives, the encryption is irreversible: the output is termed here the Mutual Primitive. Next this Mutual Primitive is encrypted at 62 by a one-time key using the key management algorithm (KMA+1) to form a Transfer key, which is then transmitted to the recipient station.

The encryption/decryption unit at the recipient station now uses the one-time key and the key management algorithm (KMA-1) at 63 to decrypt the Transfer key and so re-create the Mutual Primitive. For this purpose, both sender and recipient must agree the one-time key in advance, using a separate communication medium: for example if the communication medium which is required to be encyphered is facsimile, the one-time key may be agreed by means of a telephone conversation over a different telephone line, or through the postal service.

Next the unit at the recipient station generates a pseudo-random stream from primitives derived from the recipient's and sender's addresses (ADS-R and ADS-S) and from its own Unique Identity String R and Unique Crypt String R: this stream is used at 64 to encrypt the Mutual Primitive, using the key management algorithm (KMA+1), to form a Registered Crypt String, which is then transmitted in plain to the sender station and stored in its memory store 5, along with the recipient's address, for use in future automatic communications between these particular two stations.

The registration process has stored the Registered Crypt String in the sender's unit, and both stations will subsequently be able to recreate a mutual secret (the Mutual Primitive) to enable future automatic but encrypted communications between the two stations. The Mutual Primitive is not however stored in either sender or recipient unit, or if it is temporarily stored it is erased after its use in the registration procedure. The automatic communication mode will now be described with reference to FIG. 7.

The sender station creates the main message, which is to be encrypted at the sender unit, then to be transmitted in securely encrypted form to the recipient station, and to be decrypted at the recipient station to re-create the main message. In order to do this, the following steps are carried out.

The sender unit re-creates the Mutual Primitive, using the key management algorithm (KMA+1) at 71 to encrypt the Unique Crypt String S using the pseudo-random stream generated by primitives derived (as previously) from the sender's and recipient's addresses (ADS-S and ADS-R), the Unique Identity String S and the Unique Crypt String S. The sender's key management algorithm also at 72 creates a random session key, which is then used to encrypt the main message using a message encryption algorithm (MEA+1), to form the encrypted main message.

The random session key is also encrypted by the Mutual Primitive at 73 using the key management algorithm (KMA+1), to form the encrypted session key. The registered crypt string and the encrypted session key are transmitted, as headers to the encrypted main message, to the recipient station.

The recipient station unit re-creates the pseudo-random stream from the primitives derived from the recipient's and sender's addresses (ADS-R and ADS-S) and the recipient's Unique Identity String R and Unique Crypt String R. This pseudo-random stream decrypts the registered crypt string at 74 using the key management algorithm (KMA-1), to re-create the Mutual Primitive. This re-created Mutual Primitive decrypts the encrypted session key at 75, again using the key management algorithm, to recreate the random session key at the recipient. The recipient unit now has the essential key (the random session key) required to decrypt the main message, at 76.
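The registration exchange of FIG. 6 (steps 61-64) and the automatic communication of FIG. 7 (steps 71-76), carried through on bytes as an added example that is not the patent's own code. The patent does not specify how the KMA turns primitives into a pseudo-random stream, so an HMAC-SHA256 counter stream stands in for it, byte-wise addition mod 256 stands in for "addition" (+1) and "subtraction" (-1), and the same stream keyed by the session key stands in for the DES-like MEA; the class and function names, and the sample addresses, are this example's own.

```python
# Added example (not the patent's own code): KMA/MEA stand-ins and the two modes.
import hashlib
import hmac
import os


def kma_stream(primitives, length):
    # Pseudo-random stream PPPP... from a list of primitives. The patent does not
    # fix the generator; an HMAC-SHA256 counter stream is assumed here.
    seed = b"\x1f".join(primitives)
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(seed, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def kma(message, primitives, direction):
    # KMA+1 (direction=+1) adds the stream to each byte mod 256; KMA-1 subtracts it.
    stream = kma_stream(primitives, len(message))
    return bytes((m + direction * p) % 256 for m, p in zip(message, stream))


def mea(message, session_key, direction):
    # Message encryption algorithm; the same stream construction keyed by the
    # session key stands in for the DES (or proprietary) cypher of processor 8.
    return kma(message, [b"MEA", session_key], direction)


class Unit:
    """One encryption/decryption unit (FIG. 1); attribute names follow the patent's stores."""

    def __init__(self, address, uis, ucs):
        self.address = address    # ADS, e.g. a telephone number
        self.uis = uis            # Unique Identity String (memory store 3)
        self.ucs = ucs            # Unique Crypt String (memory store 4)
        self.registered = {}      # memory store 5: peer address -> Registered Crypt String

    def mutual_primitive(self, peer):
        # Irreversible (FIG. 4, steps 61/71): the UCS is both the message and one of the
        # primitives, so the stream cannot be rebuilt without already knowing the UCS.
        return kma(self.ucs, [self.address, peer, self.uis, self.ucs], +1)

    # registration mode (FIG. 6); the one-time key is agreed out of band
    def make_transfer_key(self, peer, one_time_key):                  # step 62
        return kma(self.mutual_primitive(peer), [one_time_key], +1)

    def register_sender(self, sender, transfer_key, one_time_key):     # steps 63, 64
        mp = kma(transfer_key, [one_time_key], -1)
        return kma(mp, [self.address, sender, self.uis, self.ucs], +1)  # RCS, sent in plain

    def store_registration(self, peer, rcs):                           # memory store 5
        self.registered[peer] = rcs

    # automatic communication mode (FIG. 7)
    def send(self, peer, message):
        mp = self.mutual_primitive(peer)                               # step 71
        session_key = os.urandom(16)                                   # step 72
        enc_key = kma(session_key, [mp], +1)                           # step 73
        return self.registered[peer], enc_key, mea(message, session_key, +1)

    def receive(self, sender, rcs, enc_key, enc_msg):
        mp = kma(rcs, [self.address, sender, self.uis, self.ucs], -1)  # step 74
        session_key = kma(enc_key, [mp], -1)                           # step 75
        return mea(enc_msg, session_key, -1)                           # step 76


def run_protocol(sender, recipient, one_time_key, message, recipient_otk=None):
    """Register sender -> recipient, then send one message; returns the recipient's plaintext.
    recipient_otk lets the recipient use a different one-time key, to show a failed registration."""
    otk_r = one_time_key if recipient_otk is None else recipient_otk
    tk = sender.make_transfer_key(recipient.address, one_time_key)
    rcs = recipient.register_sender(sender.address, tk, otk_r)
    sender.store_registration(recipient.address, rcs)   # only the RCS is retained
    header_rcs, enc_key, enc_msg = sender.send(recipient.address, message)
    return recipient.receive(sender.address, header_rcs, enc_key, enc_msg)


if __name__ == "__main__":
    a = Unit(b"ADS-S-constructed", os.urandom(56), os.urandom(12))
    b = Unit(b"ADS-R-constructed", os.urandom(56), os.urandom(12))
    print(run_protocol(a, b, b"constructed one-time key", b"ENEMY ATTACK"))
```

Neither unit ever stores the one-time key, the Transfer key or the Mutual Primitive; the sender keeps only the Registered Crypt String, and a mismatched one-time key at registration leaves the recipient unable to recover the session key.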

It will be appreciated that a fresh session key will be generated for each new transmission. Indeed, even within a given transmission (or session), the session key can be changed periodically, e.g. after predetermined intervals of time or, in the case of a facsimile transmission, at the end of each page (or even at the end of each line) of a transmitted text.

It will be appreciated that, in registration mode, double registration is required between each pair of stations, first one station acting as sender and the other as recipient and then these roles being exchanged, so that communication in either direction can be carried out subsequently. There is little sacrifice of security if the same one-time key is used for both registrations between the same pair of stations.

In the case of managed networks, for example a network of branch offices of a bank, all potential users of the system are known at the time of installation of the network. For these cases, preferably the encryption/decryption unit is arranged to enable an automatic registration procedure, eliminating the need for each pair of stations to devise and exchange one-time keys. This automatic registration operates as follows.

A master version of the key management algorithm is run on a processor, e.g. a PC, which is separate from the network, and operates as shown in FIG. 5 to produce a pseudo-random stream which is used to derive a two-time key for each pair of stations: the key is called a two-time key because it serves as a key for a two-way registration procedure between the relevant pair of stations. FIG. 8 shows how the two-time key is created, namely by applying the key management algorithm at 81 to a pseudo-random stream based on a system primitive and primitives derived from the addresses of the two stations (ADS-S and ADS-R).

Memory store 6 of each encryption/decryption unit then stores a set of two-time keys, needed for registration of that unit with each of the other units in the network. For example in the case of a network of 1000 stations, the memory store 6 of each encryption unit stores 999 two-time keys, each of six figures.

Automatic registration will now be further explained with reference to FIG. 9: the similarity to FIG. 6 will be noted and corresponding reference numerals are used. In automatic registration suppose one unit, acting as sender, wishes to register with another unit. The sender unit searches for the appropriate two-time key, and recognizes three possible conditions. In the first condition, the relevant two-time key has not yet been used for registration: the two stations proceed with registration generally as set out in FIG. 9, the registration thus enabling future transmission from the one unit to the other. In the second condition, the sender unit finds that the relevant two-time key has been used once before: the second registration is now performed, with the roles of sender and recipient being reversed. Now that the two-time key has been used twice, and therefore fulfilled its purposes, each of the pair of units erases the relevant two-time key from its memory store 6. In the third condition, the unit finds that the relevant two-time key has already been used twice and erased from memory: the relevant pair of units will therefore proceed with automatic encyphered communication.

It will be appreciated that the present invention avoids the need, which is common in prior art systems, for an exchange to take place between sender and recipient, prior to transmission of the encrypted message, in order that the recipient will know the session key to be used. Thus, the invention involves a once-and-for-all registration procedure, which then holds good for all future transmissions but still different session keys are used at different times. In particular, all initiatives prior to a transmission involve the sender only: the sender's message is complete in itself and contains all the necessary information for the recipient to convert the message to plain. The only information which is required to be securely protected is a pair of unique identifiers (the unique identity string and the unique crypt string), and in practice both these may be contained in a single string. All other information is either created afresh with each transmission (the mutual primitive) or has no secrecy value (the registered crypt string).

I claim:
 1. An encryption/decryption apparatus to enable encrypted communication between two stations, each operable as a sender and a recipient and each incorporating such an apparatus, said apparatus being operable in both registration mode and in encrypted communication mode, said apparatus comprising:
    a) memory means for storing a first set of data items which include first secret data items and also storing a second set of data items which include second secret data items;
    b) means for entering a pre-agreed key into said encryption/decryption apparatus;
    c) means for sender registration including means for creating a mutual code from said first set of data items, means for encrypting said mutual code using said pre-agreed key to form a transfer key, and means for transmitting said transfer key to a recipient, said means for sender registration operable when said apparatus is acting as sender in registration mode;
    d) means for recipient registration including means for decrypting a received said transfer key using said pre-agreed key to recreate said mutual code, means for deriving a further key from said second set of data items, means for encrypting said recreated mutual code in accordance with said further key to thereby create a registration code, and means for transmitting said registration code to a sender, said means for recipient registration operable when said apparatus is acting as recipient in registration mode;
    e) means for receiving and storing said registration code from the recipient, said means for receiving and storing operable when said apparatus is acting as sender in registration mode;
    f) means for sender communication including means for recreating said mutual code from said first set of data items, means for generating a random session key, means for encrypting said random session key in accordance with said mutual code, means for transmitting said encrypted random session key and said registration code to the recipient, and means for encrypting a main message in accordance with said random session key and transmitting said encrypted main message to the recipient, said means for sender communication operable when said apparatus is acting in encrypted communication mode as sender to the recipient with which registration has been made; and
    g) means for recipient communication including means for decrypting said registration code received from the sender using said second set of data items to thereby recreate said mutual code, means for decrypting said encrypted random session key received from the sender using said recreated mutual code, and means for decrypting said encrypted main message received from the sender using said decrypted random session key, said means for recipient communication operable when said apparatus is acting as recipient in encrypted communication mode.

 2. An apparatus according to claim 1, wherein when said apparatus is acting as sender in encrypted communication mode, said means for sender communications is arranged to transmit the encrypted random session key and registration code related to the recipient as items of data preliminary to the encrypted main message.

 3. An apparatus according to claim 1, wherein when said apparatus is acting as one of sender in registration mode and sender in encrypted communication mode, said means for creating said mutual code is arranged to form the mutual code by an irreversible encryption.